
Commit 18b809c

committed
taking a step back with RBAC
1 parent 8d4fa5a commit 18b809c


4 files changed

+54
-48
lines changed


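--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -1088,9 +1088,9 @@ func (q *querier) AcquireNotificationMessages(ctx context.Context, arg database.
 }
 
 func (q *querier) AcquireProvisionerJob(ctx context.Context, arg database.AcquireProvisionerJobParams) (database.ProvisionerJob, error) {
-if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
-return database.ProvisionerJob{}, err
-}
+// if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
+// return database.ProvisionerJob{}, err
+// }
 return q.db.AcquireProvisionerJob(ctx, arg)
 }
 
@@ -2309,30 +2309,31 @@ func (q *querier) GetProvisionerJobTimingsByJobID(ctx context.Context, jobID uui
 }
 
 func (q *querier) GetProvisionerJobsByIDs(ctx context.Context, ids []uuid.UUID) ([]database.ProvisionerJob, error) {
-if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
-return nil, err
-}
+// if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
+// return nil, err
+// }
 return q.db.GetProvisionerJobsByIDs(ctx, ids)
 }
 
 func (q *querier) GetProvisionerJobsByIDsWithQueuePosition(ctx context.Context, ids []uuid.UUID) ([]database.GetProvisionerJobsByIDsWithQueuePositionRow, error) {
-if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
-return nil, err
-}
+// if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
+// return nil, err
+// }
+// policy.ActionRead, rbac.ResourceProvisionerJobs.InOrg(org.ID)
 return q.db.GetProvisionerJobsByIDsWithQueuePosition(ctx, ids)
 }
 
 func (q *querier) GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisioner(ctx context.Context, arg database.GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisionerParams) ([]database.GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisionerRow, error) {
-if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
-return nil, err
-}
+// if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
+// return nil, err
+// }
 return fetchWithPostFilter(q.auth, policy.ActionRead, q.db.GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisioner)(ctx, arg)
 }
 
 func (q *querier) GetProvisionerJobsCreatedAfter(ctx context.Context, createdAt time.Time) ([]database.ProvisionerJob, error) {
-if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
-return nil, err
-}
+// if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
+// return nil, err
+// }
 return q.db.GetProvisionerJobsCreatedAfter(ctx, createdAt)
 }
 
@@ -3528,23 +3529,27 @@ func (q *querier) InsertPresetParameters(ctx context.Context, arg database.Inser
 }
 
 func (q *querier) InsertProvisionerJob(ctx context.Context, arg database.InsertProvisionerJobParams) (database.ProvisionerJob, error) {
-if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceProvisionerJobs); err != nil {
-return database.ProvisionerJob{}, err
-}
+// TODO: Remove this once we have a proper rbac check for provisioner jobs.
+// Currently ProvisionerJobs are not associated with a user, so we can't
+// check for a user's permissions. We'd need to check for the associated workspace
+// and verify ownership through that.
+// if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceProvisionerJobs); err != nil {
+// return database.ProvisionerJob{}, err
+// }
 return q.db.InsertProvisionerJob(ctx, arg)
 }
 
 func (q *querier) InsertProvisionerJobLogs(ctx context.Context, arg database.InsertProvisionerJobLogsParams) ([]database.ProvisionerJobLog, error) {
-if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
-return nil, err
-}
+// if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
+// return nil, err
+// }
 return q.db.InsertProvisionerJobLogs(ctx, arg)
 }
 
 func (q *querier) InsertProvisionerJobTimings(ctx context.Context, arg database.InsertProvisionerJobTimingsParams) ([]database.ProvisionerJobTiming, error) {
-if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
-return nil, err
-}
+// if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
+// return nil, err
+// }
 return q.db.InsertProvisionerJobTimings(ctx, arg)
 }
 
@@ -4168,16 +4173,16 @@ func (q *querier) UpdateProvisionerDaemonLastSeenAt(ctx context.Context, arg dat
 }
 
 func (q *querier) UpdateProvisionerJobByID(ctx context.Context, arg database.UpdateProvisionerJobByIDParams) error {
-if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
-return err
-}
+// if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
+// return err
+// }
 return q.db.UpdateProvisionerJobByID(ctx, arg)
 }
 
 func (q *querier) UpdateProvisionerJobWithCancelByID(ctx context.Context, arg database.UpdateProvisionerJobWithCancelByIDParams) error {
-if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
-return err
-}
+// if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
+// return err
+// }
 
 job, err := q.db.GetProvisionerJobByID(ctx, arg.ID)
 if err != nil {
@@ -4246,16 +4251,16 @@ func (q *querier) UpdateProvisionerJobWithCancelByID(ctx context.Context, arg da
 }
 
 func (q *querier) UpdateProvisionerJobWithCompleteByID(ctx context.Context, arg database.UpdateProvisionerJobWithCompleteByIDParams) error {
-if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
-return err
-}
+// if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
+// return err
+// }
 return q.db.UpdateProvisionerJobWithCompleteByID(ctx, arg)
 }
 
 func (q *querier) UpdateProvisionerJobWithCompleteWithStartedAtByID(ctx context.Context, arg database.UpdateProvisionerJobWithCompleteWithStartedAtByIDParams) error {
-if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
-return err
-}
+// if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
+// return err
+// }
 return q.db.UpdateProvisionerJobWithCompleteWithStartedAtByID(ctx, arg)
 }
 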
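Review bot: Every provisioner-job method in this section now falls straight through to q.db with no authorization at all — AcquireProvisionerJob, GetProvisionerJobsByIDs, GetProvisionerJobsByIDsWithQueuePosition, GetProvisionerJobsCreatedAfter, InsertProvisionerJob, InsertProvisionerJobLogs, InsertProvisionerJobTimings, UpdateProvisionerJobByID, UpdateProvisionerJobWithCancelByID, UpdateProvisionerJobWithCompleteByID and UpdateProvisionerJobWithCompleteWithStartedAtByID all have their only authorizeContext call commented out, so any caller that reaches the querier can read or mutate any job, and only GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisioner still filters through fetchWithPostFilter. If the per-resource check is not ready, a coarse gate is safer than none: replace each commented block with `if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceSystem); err != nil {` (ActionRead for the Get methods) so these stay restricted to system-level callers — presumably what they were gated on before ResourceProvisionerJobs existed, though that history is not visible here. The TODO explaining why the check is disabled appears only on InsertProvisionerJob; the other ten commented-out checks need the same comment or a one-line pointer to it, and the stray `// policy.ActionRead, rbac.ResourceProvisionerJobs.InOrg(org.ID)` in GetProvisionerJobsByIDsWithQueuePosition should become the intended check or be dropped. UpdateProvisionerJobWithCancelByID's body continues past the hunk, so whatever ownership check it performs after GetProvisionerJobByID is the only thing now standing between a caller and cancelling an arbitrary job.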
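--- a/coderd/database/dbauthz/dbauthz_test.go
+++ b/coderd/database/dbauthz/dbauthz_test.go
@@ -3892,7 +3892,7 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 }))
 s.Run("GetProvisionerJobsCreatedAfter", s.Subtest(func(db database.Store, check *expects) {
 _ = dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{CreatedAt: time.Now().Add(-time.Hour)})
-check.Args(time.Now()).Asserts(rbac.ResourceProvisionerJobs, policy.ActionRead)
+check.Args(time.Now()).Asserts( /* rbac.ResourceProvisionerJobs, policy.ActionRead */ )
 }))
 s.Run("GetTemplateVersionsByIDs", s.Subtest(func(db database.Store, check *expects) {
 dbtestutil.DisableForeignKeysAndTriggers(s.T(), db)
@@ -3978,7 +3978,7 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 a := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{})
 b := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{})
 check.Args([]uuid.UUID{a.ID, b.ID}).
-Asserts(rbac.ResourceProvisionerJobs, policy.ActionRead).
+Asserts( /* rbac.ResourceProvisionerJobs, policy.ActionRead */ ).
 Returns(slice.New(a, b))
 }))
 s.Run("InsertWorkspaceAgent", s.Subtest(func(db database.Store, check *expects) {
@@ -4022,26 +4022,26 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 OrganizationID: j.OrganizationID,
 Types: []database.ProvisionerType{j.Provisioner},
 ProvisionerTags: must(json.Marshal(j.Tags)),
-}).Asserts(rbac.ResourceProvisionerJobs, policy.ActionUpdate)
+}).Asserts( /* rbac.ResourceProvisionerJobs, policy.ActionUpdate */ )
 }))
 s.Run("UpdateProvisionerJobWithCompleteByID", s.Subtest(func(db database.Store, check *expects) {
 j := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{})
 check.Args(database.UpdateProvisionerJobWithCompleteByIDParams{
 ID: j.ID,
-}).Asserts(rbac.ResourceProvisionerJobs, policy.ActionUpdate)
+}).Asserts( /* rbac.ResourceProvisionerJobs, policy.ActionUpdate */ )
 }))
 s.Run("UpdateProvisionerJobWithCompleteWithStartedAtByID", s.Subtest(func(db database.Store, check *expects) {
 j := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{})
 check.Args(database.UpdateProvisionerJobWithCompleteWithStartedAtByIDParams{
 ID: j.ID,
-}).Asserts(rbac.ResourceProvisionerJobs, policy.ActionUpdate)
+}).Asserts( /* rbac.ResourceProvisionerJobs, policy.ActionUpdate */ )
 }))
 s.Run("UpdateProvisionerJobByID", s.Subtest(func(db database.Store, check *expects) {
 j := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{})
 check.Args(database.UpdateProvisionerJobByIDParams{
 ID: j.ID,
 UpdatedAt: time.Now(),
-}).Asserts(rbac.ResourceProvisionerJobs, policy.ActionUpdate)
+}).Asserts( /* rbac.ResourceProvisionerJobs, policy.ActionUpdate */ )
 }))
 s.Run("InsertProvisionerJob", s.Subtest(func(db database.Store, check *expects) {
 dbtestutil.DisableForeignKeysAndTriggers(s.T(), db)
@@ -4051,19 +4051,19 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 StorageMethod: database.ProvisionerStorageMethodFile,
 Type: database.ProvisionerJobTypeWorkspaceBuild,
 Input: json.RawMessage("{}"),
-}).Asserts(rbac.ResourceProvisionerJobs, policy.ActionCreate)
+}).Asserts( /* rbac.ResourceProvisionerJobs, policy.ActionCreate */ )
 }))
 s.Run("InsertProvisionerJobLogs", s.Subtest(func(db database.Store, check *expects) {
 j := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{})
 check.Args(database.InsertProvisionerJobLogsParams{
 JobID: j.ID,
-}).Asserts(rbac.ResourceProvisionerJobs, policy.ActionUpdate)
+}).Asserts( /* rbac.ResourceProvisionerJobs, policy.ActionUpdate */ )
 }))
 s.Run("InsertProvisionerJobTimings", s.Subtest(func(db database.Store, check *expects) {
 j := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{})
 check.Args(database.InsertProvisionerJobTimingsParams{
 JobID: j.ID,
-}).Asserts(rbac.ResourceProvisionerJobs, policy.ActionUpdate)
+}).Asserts( /* rbac.ResourceProvisionerJobs, policy.ActionUpdate */ )
 }))
 s.Run("UpsertProvisionerDaemon", s.Subtest(func(db database.Store, check *expects) {
 dbtestutil.DisableForeignKeysAndTriggers(s.T(), db)
@@ -4279,7 +4279,7 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 check.Args([]uuid.UUID{uuid.New()}).Asserts(rbac.ResourceSystem, policy.ActionRead)
 }))
 s.Run("GetProvisionerJobsByIDsWithQueuePosition", s.Subtest(func(db database.Store, check *expects) {
-check.Args([]uuid.UUID{}).Asserts(rbac.ResourceProvisionerJobs, policy.ActionRead)
+check.Args([]uuid.UUID{}).Asserts( /* rbac.ResourceProvisionerJobs, policy.ActionRead */ )
 }))
 s.Run("GetReplicaByID", s.Subtest(func(db database.Store, check *expects) {
 check.Args(uuid.New()).Asserts(rbac.ResourceSystem, policy.ActionRead).Errors(sql.ErrNoRows)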
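Review bot: An empty `Asserts( /* ... */ )` makes each of these ten subtests pass regardless of what the querier checks, so the suite now neither documents that provisioner-job methods are intentionally unauthorized nor will it catch a wrong resource or action when a check is re-added; the commented-out argument lists are the only trace of the intended expectation. If the checks are deliberately disabled for now, say it once rather than ten times, e.g. a comment before the first affected subtest: `// Provisioner job subtests assert no RBAC call until jobs get a proper check; see the TODO on InsertProvisionerJob in dbauthz.go.`, and if an interim gate is kept in dbauthz.go assert it here the way the neighbouring GetReplicaByID subtest still asserts `rbac.ResourceSystem, policy.ActionRead`. Whether the harness treats an empty Asserts as "no authorizer call expected" or as "don't care" is not visible here; if it is the former, restoring any check in dbauthz.go will fail these tests, which is worth confirming before merging. All five hunks sit inside TestSystemFunctions, whose start and end are outside them.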

coderd/database/queries.sql.go

Lines changed: 2 additions & 2 deletions

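--- a/site/src/api/rbacresourcesGenerated.ts
+++ b/site/src/api/rbacresourcesGenerated.ts
@@ -130,6 +130,7 @@ export const RBACResourceActions: Partial<
 update: "update a provisioner daemon",
 },
 provisioner_jobs: {
+create: "create provisioner jobs",
 read: "read provisioner jobs",
 update: "update provisioner jobs",
 },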
